The attacker seems to be the admin of those two instances. Both instances have their registrations closed.

Edit: It is now open for both of them, or was already. I checked the Fediseer page for both instances and it still says that their registrations are closed.

Though it is suspicious that no captcha, email confirmation or manual approval is required for both of these instances. The admin of lemmy.doesnotexist.club seems to be inactive since their account creation yet this instance is still running. If the admin is the attacker, it could also be that they are the one behind the recent nicole spam.

https://gui.fediseer.com/instances/detail/chinese.lol

https://gui.fediseer.com/instances/detail/lemmy.doesnotexist.club

cross-posted from: https://hackertalks.com/post/8713785

The instances being used are

  • lemmy.doesnotexist.club
  • chinese.lol

Here is an example of the coordinated downvoting https://hackertalks.com/post/8692093

Of course its a controversial user who got someone angry enough to automated downvoting @DonaldJMusk@lemmy.today

But you can see every post they make gets 53ish downvotes from these two instances, plus some organic ones after a few hours.

Current downvoting Accounts

bot-list

LightIsland@chinese.lol MagnificentRow@chinese.lol FondKnowledge@chinese.lol SillyTowel95@chinese.lol HelplessDear@chinese.lol SomberBrain@chinese.lol InexperiencedCloset@chinese.lol NecessaryPerson11@chinese.lol ClosedEmployment@chinese.lol CoarseHair420@chinese.lol BurlyChampionship49@chinese.lol ZigzagNatural@chinese.lol QuestionableDirt@chinese.lol ProudDeparture@lemmy.doesnotexist.club JoyousDouble@chinese.lol UnitedPatience@chinese.lol MajesticArea@lemmy.doesnotexist.club SinfulConference@chinese.lol MoralDivide96@chinese.lol LeadingCarry65@chinese.lol FrillyOpinion38@lemmy.doesnotexist.club LimitedDiscount49@lemmy.doesnotexist.club ForkedScreen@chinese.lol MediumChemistry13@chinese.lol xXxLawfulGrassxXx@lemmy.doesnotexist.club VisibleSentence@chinese.lol AcidicLawyer90@lemmy.doesnotexist.club PriceySink14@lemmy.doesnotexist.club ExcellentBeach@chinese.lol VivaciousNews@lemmy.doesnotexist.club LankyIndependent32@lemmy.doesnotexist.club SpeedyFault@chinese.lol ConcreteHall89@lemmy.doesnotexist.club WorthyPoint12@lemmy.doesnotexist.club SurprisedAdult99@chinese.lol FlashyCrack@lemmy.doesnotexist.club MasculineBeing@chinese.lol RichWeird@lemmy.doesnotexist.club DryCash97@lemmy.doesnotexist.club AuthorizedChair@chinese.lol SlimKiss@lemmy.doesnotexist.club AromaticRoof78@lemmy.doesnotexist.club BewitchedInterview@lemmy.doesnotexist.club ImaginaryDraw@lemmy.doesnotexist.club PertinentGround@chinese.lol SinfulAssumption@lemmy.doesnotexist.club AwkwardAnybody30@lemmy.doesnotexist.club UnwillingRestaurant@lemmy.doesnotexist.club InsubstantialOven@lemmy.doesnotexist.club

A individual user airing their personal biases and manipulating lemmy isn’t good for the community, regardless of how you feel about their target. This is a really bad thing ™

    • asudox@lemmy.asudox.devOPEnglish
      20·
      6 days ago

      The bots are from those two instances as you can see in the screenshot. Furthermore, lemmy.doesnotexist.club has had dozens of bots since at least 2023 (2 years after domain creation. found via the web archive). Since at least 2023, the admin hasn’t been doing anything, or even interacting with anyone. That account seems pretty much dead. But they keep hosting the instance for some reason. It is also a possibility that someone else indeed is using these two instances because they are “abandoned”, but it is highly likely that it is the admin. It is very suspicious that the registrations have been open unguarded against bots since at least 2023. These two instances have been invaded with bots long ago, so defederation is still the right thing to do.

      I also don’t want to jump to conclusions, but I think the chances are pretty high that it indeed is the admin. It might lead us to whoever is behind the recent nicole spam.

        • asudox@lemmy.asudox.devOPEnglish
          5·
          6 days ago

          Well yeah, there is no concrete evidence that it is the admin (or the admins). But the hints I found seem to be pointing that they are the one behind this. Of course there is a possibility that it is someone else, but it baffles me why anyone would leave the registrations open for 2 years, keep the instance running, but never interact with the fediverse through it themselves. And this isn’t exactly like kbin.social, the admin eventually did respond and close down the instance (not to mention, the admin was still communicating with the people). This instance and its bots have been going on for over 2 years, with not even a single sign of activity from the admin(s).

          Nevertheless, defederation is the right thing to do right now. Unless concrete evidence is found, we could put this aside.

      • keegomatic@lemmy.worldEnglish
        2·
        5 days ago

        FWIW:

        1. Around then, captchas were turned off by default for a short period of time (very stupidly, IMO), if I remember correctly, and a lot of bots were registered on a good number of instances. It was also when a lot of new instances were sprouting up because Lemmy was just gaining momentum.
        2. I have personally let certain things I host go on for years without checking them, because developers have ADHD more often than not, and autopay will keep your zombie in service for a long time if it’s not making a dent big enough to make you shut it down (hosting a low-activity anything is not usually very expensive).

        Not impossible that it’s just an absent admin.